This standard defines the appropriate practices for connecting a web application to a database.
Connections from web pages and applications to databases are an important aspect of providing dynamic content to users. ITaP Web Services strives to maintain the integrity of its web servers and all systems with which they interact. To achieve this, certain principles of operation govern these connections.
Databases provide much of the power behind dynamic content for web pages and applications. They also provide new vectors for web site compromise. The following principles apply to all database connections made from web pages and applications hosted on ITaP Web Services’ systems:
Supported Database Types
- ITaP Web Services supports connections to the following ITaP-administered databases:
  - Microsoft SQL Server
- Connections to non-ITaP-administered databases may work, but are not supported.
- Databases stored on web servers (e.g. Microsoft Access) are strictly prohibited!
- Database connections to ITaP-administered databases must be encrypted. All other database connections should be encrypted whenever possible, and in some cases must be encrypted depending on data classification.
- Database passwords shall never be put in email, tickets, or any other unencrypted written electronic communication in compliance with University policy VII.B.1 and associated best practices documents. Passwords may only be communicated over the phone, in person, or using another University-approved method.
- Web Services will not provide database password information to anyone. The developer must contact the Database Administrator, Data Steward, or Database Owner for this information.
- Efforts must be made to guard against SQL injection and other web-to-database attack vectors. Vulnerability scanning software is made available by ITaP to developers for use in identifying and correcting such vulnerabilities before code is deployed to production.
Connection Definition Best Practices
- Database connections should use a separate account dedicated to web access. This account should have minimal privileges in the database.
- Open connection interfaces (such as ODBC and JDBC) are recommended. Some of these interfaces use Data Source Name (DSN) definitions that are managed by ITaP Web Services and can be created or changed upon request.
- Developers may choose to use alternative connection interfaces provided by their chosen programming language. If so, all information related to the connection to the database is the responsibility of the developer. ITaP Web Services does not manage these connection definitions.
- Whenever the platform allows, files containing database credentials or other sensitive details should be stored outside of the web document tree to prevent inadvertent exposure of the information they contain. ITaP Web Services provides (or will provide on request) a DATA directory specifically configured outside the web document tree that is still accessible to web applications, and can be referenced by the site.
- Certain configuration files containing database connection information, such as IIS’ web.config and WordPress’ wp-config.php, must reside in the web document tree, but are protected by other application security measures. Such applications, if not already scanned for vulnerabilities, should be scanned prior to deployment to production to ensure the built-in safeguards work as designed.
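A pre-deployment check for the two storage rules above, as an added example (not ITaP Web Services' own tooling): it confirms that a credentials file resolves outside the document tree and flags files inside the tree that appear to hold database credentials, except the platform-protected web.config and wp-config.php. The directory names `wwwroot` and `DATA`, the files `db.ini` and `db.inc`, and the credential patterns are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Config files the standard accepts inside the document tree.
ALLOWED_IN_TREE = {"web.config", "wp-config.php"}
# Heuristic credential patterns (assumed for this example; tune per site).
CREDENTIAL_PATTERNS = [
    re.compile(r"(?i)\b(password|pwd)\s*=\s*[^;\s'\"]+"),   # ODBC/ADO-style strings
    re.compile(r"(?i)define\(\s*['\"]DB_PASSWORD['\"]"),     # WordPress-style constant
]

def is_outside_docroot(path, docroot):
    """True if path, after resolving symlinks and '..', is not under docroot."""
    resolved = Path(path).resolve()
    root = Path(docroot).resolve()
    return resolved != root and root not in resolved.parents

def find_exposed_credentials(docroot):
    """Relative paths of files under docroot that look like they hold DB credentials."""
    root = Path(docroot).resolve()
    findings = []
    for f in root.rglob("*"):
        if not f.is_file() or f.name.lower() in ALLOWED_IN_TREE:
            continue
        text = f.read_text(errors="ignore")
        if any(p.search(text) for p in CREDENTIAL_PATTERNS):
            findings.append(f.relative_to(root).as_posix())
    return sorted(findings)

def demo():
    """Build a constructed site layout in a temp directory and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        docroot, data = base / "wwwroot", base / "DATA"
        (docroot / "inc").mkdir(parents=True)
        data.mkdir()
        (data / "db.ini").write_text("Server=db.example;Uid=webapp;Pwd=constructed-secret;")
        (docroot / "inc" / "db.inc").write_text("Driver=ODBC;Uid=webapp;Pwd=constructed-secret;")
        (docroot / "web.config").write_text('<add connectionString="Uid=webapp;Pwd=constructed-secret;"/>')
        (docroot / "index.html").write_text("<h1>hello</h1>")
        return {
            "data_ok": is_outside_docroot(data / "db.ini", docroot),
            "traversal_ok": is_outside_docroot(docroot / ".." / "wwwroot" / "inc" / "db.inc", docroot),
            "exposed": find_exposed_credentials(docroot),
        }

if __name__ == "__main__":
    print(demo())
```

The path check resolves symlinks and `..` segments first, so a path that only looks like it leaves the document tree is still reported as inside it.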
Roles and Responsibilities
- Data Stewards and Database Owners are the authorizing contacts for connections from web applications to databases.
- Database Owners are responsible for requesting new databases unless the database is required by an ITaP Web Services hosting platform (i.e. WordPress).
Reviewed: May 23, 2016